Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 578 1
Risk Management II
Ray Trygstad
ITM 578 Section 071
Spring 2004
Master of Information Technology & Management Program
Center for Professional Development
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
Learning Objectives: Upon completion of this lesson the student should be able to:
– Explain why risk control is needed in today's organizations
– Recall risk mitigation strategy options for controlling risks
– Identify the categories that can be used to classify controls
– Discuss the conceptual frameworks that exist for evaluating risk controls
– Formulate a cost benefit analysis when required
– Describe how to maintain and perpetuate risk controls
Introduction
Competitive advantage vs. competitive disadvantage
– The need to avoid falling behind the competition
To achieve competitive advantage, organizations must design and create a safe environment in which business processes and procedures can function
Environment must maintain confidentiality, privacy and integrity of organizational data
Objectives are met through the application of the principles of risk management
Risk Management
Risk management is:
– The process of identifying vulnerabilities in an organization’s information systems and
– Taking carefully reasoned steps to assure the confidentiality, integrity, and availability of all the components in the organization’s information systems
Primary deliverable from risk assessment is a list of documented vulnerabilities ranked by criticality of impact
Risk Control Strategies
When risks from information security threats create competitive disadvantage, the information technology and information security communities of interest take control of the risks
Four basic strategies are used to control risks resulting from vulnerabilities:
– Apply safeguards (avoidance)
– Transfer the risk (transference)
– Reduce the impact (mitigation)
– Inform themselves of all of the consequences and accept the risk without control or mitigation (acceptance)
Avoidance
Attempts to prevent exploitation of the vulnerability
Preferred approach, as it seeks to avoid risk in its entirety rather than dealing with it after it has been realized
Accomplished through:
– Countering threats
– Removing vulnerabilities in assets
– Limiting access to assets and/or
– Adding protective safeguards
Avoidance: Areas of Control
Three areas of control:
– Policy
– Training and education
– Technology
Transference
Control approach that attempts to shift the risk to other assets, other processes, or other organizations
– If an organization does not already have quality security management and administration experience, it should hire individuals or firms that provide such expertise
– Allows the organization to transfer the risk associated with the management of these complex systems to another organization with established experience in dealing with those risks
Mitigation
Attempts to reduce the impact of exploitation through planning and preparation
Three types of plans:
– disaster recovery planning (DRP)
– business continuity planning (BCP)
– incident response planning (IRP)
Most common: disaster recovery plan or DRP
Actions to take while the incident is in progress are in the incident response plan or IRP
Longer-term issues are handled in the business continuity plan or BCP
Mitigation Summary
Table 5.1 Summaries of mitigation plans (columns: Plan, Description, Example, When Deployed, Time Frame)

Incident Response Plan (IRP)
– Description: Actions an organization takes during incidents (attacks)
– Example: List of steps to be taken during disaster; intelligence gathering; information analysis
– When deployed: As incident or disaster unfolds
– Time frame: Immediate and real-time action

Disaster Recovery Plan (DRP)
– Description: Preparations for recovery should a disaster occur; strategies to limit losses before and during disaster; step-by-step instructions to regain normalcy
– Example: Procedures for the recovery of lost data; procedures for the reestablishment of lost services; shut-down procedures to protect systems and data
– When deployed: Immediately after the incident is labeled a disaster
– Time frame: Short-term recovery

Business Recovery Plan (BRP)
– Description: Steps to ensure continuation of business when the scale of a disaster requires relocation
– Example: Preparation steps for activation of secondary data centers; establishment of a hot site in a remote location
– When deployed: Immediately after it is determined that the disaster affects the continued operations of the organization
– Time frame: Long-term recovery
Acceptance
Doing nothing to close a vulnerability and accepting the outcome of its exploitation
Valid only when:
– Level of risk determined
– Probability of attack assessed
– Potential damage estimated
– Thorough cost benefit analysis completed
– Controls evaluated using each appropriate feasibility
– Conscious decision made that the particular function, service, information, or asset does not justify the cost of protection
Risk appetite describes the degree to which an organization is willing to accept risk as a trade-off to the expense of applying controls
Mitigation Strategy Selection
Level of threat and value of the asset play a major role in the selection of strategy
The following rules of thumb can be applied in selecting the preferred strategy
Mitigation Strategy Selection Rules
When a vulnerability exists, implement assurance techniques to reduce the likelihood of the vulnerability being exercised
When a vulnerability can be exploited, apply layered protections, architectural designs, and administrative controls to minimize the risk or prevent this occurrence
Mitigation Strategy Selection Rules
When the attacker's cost is less than his/her potential gain, apply protections to increase the attacker's cost
When potential loss is substantial, apply design principles, architectural designs, and technical and non-technical protections to limit the extent of the attack, thereby reducing the potential for loss
Risk Handling Decision Points
Figure 5-2 Risk Handling Decisions (flowchart). Starting from the system as designed and the viable threats, the chart asks in sequence:
– Is the system vulnerable? No: no risk. Yes: vulnerability exists
– Is the system exploitable? No: no risk. Yes: threat and vulnerability exist
– Is the attacker's gain > loss? No: risk can be accepted. Yes: risk exists
– Is the expected loss > the organization's acceptable level? No: risk can be accepted. Yes: risk is unacceptable
Risk Control Cycle
Figure 5-3 Risk Control Cycle (flowchart). Steps shown in the cycle:
– Identify information assets
– Measure risk to information asset
– Acceptable risk? (Yes/No)
– Prepare ranked vulnerability risk worksheet
– Develop control strategy & plans
– Implement control
– Assess control
– Adequate controls? (Yes/No)
– Plan for maintenance
Categories of Controls
Controlling risk through avoidance, mitigation, or transference may be accomplished by implementing controls or safeguards
One approach to selecting controls is by category:
– Control Function
– Architectural Layer
– Strategy Layer
– Information Security Principles
Control Function - Preventative
Controls or safeguards designed to defend the vulnerability are either preventive or detective
Preventive controls stop attempts to exploit vulnerability by implementing enforcement of an organizational policy or a security principle, such as authentication or confidentiality
Control Function - Detective
Detective controls warn of violations of security principles, organizational policies, or attempts to exploit vulnerabilities
Detective controls use techniques such as audit trails, intrusion detection, or configuration monitoring
Architectural Layer
Some controls apply to one or more layers of an organization's technical architecture
Among the architectural layer designators in common use are:
– organizational policy
– external networks
– extranets (or demilitarized zones)
– intranets (WAN and LAN)
– network devices that interface network zones (switches, routers, firewalls, and hubs)
– systems (computers for mainframe, server or desktop use)
– applications
Strategy Layer
Controls are sometimes classified by the risk control strategy they operate within:
– avoidance
– mitigation
– transference
– acceptance
Information Security Principles
Controls operate within one or more of the commonly accepted information security principles:
– Confidentiality
– Integrity
– Availability
– Authentication
– Authorization
– Accountability
– Privacy
Feasibility Studies & the Cost Benefit Analysis
Before deciding on the strategy for a specific vulnerability, all information about the economic and non-economic consequences of the vulnerability facing the information asset must be explored
Fundamentally we are asking: "What are the actual and perceived advantages of implementing a control contrasted with the actual and perceived disadvantages of implementing the control?"
Cost Benefit Analysis (CBA)
The most common approach for evaluating a project of information security controls and safeguards is the economic feasibility of implementation
Begins by evaluating the worth of the information assets to be protected, plus the loss in value if those information assets are compromised
An organization should not spend more to protect an asset than the asset is worth
The formal process to document this is called a cost benefit analysis or an economic feasibility study
CBA: Cost Factors
Some of the items that impact the cost of a control or safeguard include:
– Cost of development or acquisition
– Training fees
– Cost of implementation
– Service costs
– Cost of maintenance
CBA: Benefits
Benefit is the value that the organization recognizes by using controls to prevent losses associated with a specific vulnerability
Usually determined by valuing the information asset or assets exposed by the vulnerability and determining how much of that value is at risk
CBA: Asset Valuation
The process of assigning financial value or worth to each information asset
Involves estimation of the real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against market loss for each set of information-bearing systems or information assets
There are many components to asset valuation
CBA: Loss Estimates
Once the worth of the various assets is estimated, examine the potential loss that could occur from the exploitation of a vulnerability or a threat occurrence
The process results in an estimate of potential loss per risk
The questions that must be asked include:
– What damage could occur, and what financial impact would it have?
– What would it cost to recover from the attack, in addition to the costs above?
– What is the single loss expectancy for each risk?
CBA: ALE & ARO
Expected value of a loss:
– Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO), where:
– SLE = asset value x exposure factor (EF)
ARO is simply how often you expect a specific type of attack to occur, per year
SLE is the calculation of the value associated with the most likely loss from an attack
EF is the percentage loss that would occur from a given vulnerability being exploited
CBA: Formula
CBA asks whether or not the control alternative being evaluated is worth the associated cost incurred to control the specific vulnerability
While many CBA techniques exist, for our purposes the CBA is most easily calculated using the ALE from earlier assessments
CBA = ALE(prior) – ALE(post) – ACS
Where:
– ALE prior is the Annualized Loss Expectancy of the risk before the implementation of the control
– ALE post is the ALE examined after the control has been in place for a period of time
– ACS is the Annual Cost of the Safeguard
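A worked example of the ALE and CBA arithmetic from the two slides above (SLE = asset value x EF, ALE = SLE x ARO, CBA = ALE(prior) – ALE(post) – ACS). This is added here and is not code from the original deck or the textbook; the asset, its EF and ARO, and the four control alternatives are constructed values, and the "flagged" column applies the deck's rule that an organization should not spend more to protect an asset than the asset is worth.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One asset-vulnerability pair with the quantitative inputs the deck uses."""
    name: str
    asset_value: float      # worth of the information asset, in dollars
    exposure_factor: float  # EF: fraction of asset value lost per exploitation (0..1)
    aro: float              # ARO: expected occurrences of the attack per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = asset value x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A control alternative; it lowers ARO (avoidance), EF (mitigation), or both."""
    name: str
    annual_cost: float                  # ACS: annual cost of the safeguard
    ef_after: Optional[float] = None    # EF once the control is in place, if it changes
    aro_after: Optional[float] = None   # ARO once the control is in place, if it changes


def ale_post(risk: Risk, sg: Safeguard) -> float:
    """ALE(post): the same ALE formula re-run with the post-control EF and ARO."""
    post = replace(
        risk,
        exposure_factor=risk.exposure_factor if sg.ef_after is None else sg.ef_after,
        aro=risk.aro if sg.aro_after is None else sg.aro_after,
    )
    return post.ale()


def cba(risk: Risk, sg: Safeguard) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control pays for itself."""
    return risk.ale() - ale_post(risk, sg) - sg.annual_cost


def exceeds_asset_value(risk: Risk, sg: Safeguard) -> bool:
    """Rule of thumb from the deck: never spend more to protect an asset than it is worth."""
    return sg.annual_cost > risk.asset_value


def rank_safeguards(risk: Risk, options: List[Safeguard]) -> List[Tuple[str, float, bool]]:
    """Rank control alternatives by CBA, best first; rows are (name, cba, flagged)."""
    scored = [(sg.name, cba(risk, sg), exceeds_asset_value(risk, sg)) for sg in options]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed example: a customer database worth $200,000 with a web-facing vulnerability
# expected to cost 25% of its value per exploitation, exploited about twice a year.
CUSTOMER_DB = Risk("customer database", asset_value=200_000, exposure_factor=0.25, aro=2.0)

# Constructed control alternatives (hypothetical names and costs).
OPTIONS = [
    Safeguard("web application firewall", annual_cost=15_000, aro_after=0.5),
    Safeguard("encrypted off-site backups", annual_cost=8_000, ef_after=0.10),
    Safeguard("full monitoring suite", annual_cost=90_000, aro_after=0.1),
    Safeguard("rebuild on isolated platform", annual_cost=250_000, aro_after=0.0),
]

if __name__ == "__main__":
    print(f"SLE = {CUSTOMER_DB.sle():,.0f}   ALE(prior) = {CUSTOMER_DB.ale():,.0f}")
    for name, value, flagged in rank_safeguards(CUSTOMER_DB, OPTIONS):
        note = "   <- costs more than the asset is worth" if flagged else ""
        print(f"{name:30s} CBA = {value:>10,.0f}{note}")
```

A negative CBA (the last option here) means the control removes less annual loss than it costs, which is the case the acceptance strategy on the earlier slide is meant for.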
Benchmarking
Rather than use the financial value of information assets, review peer institutions to determine what they are doing to protect their assets (benchmarking)
When benchmarking, an organization typically uses one of two measures:
– Metrics-based measures are comparisons based on numerical standards
– Process-based measures examine the activities performed in pursuit of its goal, rather than the specifics of how goals were attained
Due Care/Due Diligence
When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances
– Referred to as a standard of due care
Due diligence
– Demonstration that the organization is diligent in ensuring that the implemented standards continue to provide the required level of protection
Failure to support a standard of due care or due diligence can open an organization to legal liability
Best Business Practices
Security efforts that provide a superior level of protection of information are referred to as best business practices
Best security practices (BSPs) are security efforts among the best in the industry
When considering best practices for adoption in your organization, consider the following:
– Does your organization resemble the identified target?
– Are the resources you can expend similar?
– Are you in a similar threat environment?
Microsoft's Ten Laws of Security
1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore
3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore
4. If you allow a bad guy to upload programs to your web site, it’s not your web site anymore
5. Weak passwords trump strong security
Microsoft's Ten Laws of Security
6. A machine is only as secure as the administrator is trustworthy
7. Encrypted data is only as secure as the decryption key
8. An out-of-date virus scanner is only marginally better than no virus scanner at all
9. Absolute anonymity isn't practical, in real life or on the web
10. Technology is not a panacea
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/10imlaws.asp
Problems
The biggest problem with benchmarking in information security is that organizations don't talk to each other
Another problem with benchmarking is that no two organizations are identical
A third problem is that best practices are a moving target
One last issue to consider is that simply knowing what was going on a few years ago, as in benchmarking, doesn’t necessarily tell us what to do next
Baselining
Baselining is the analysis of measures against established standards
In information security, baselining is comparing security activities and events against the organization’s future performance
When baselining it is useful to have a guide to the overall process
Organizational Feasibility
Organizational feasibility examines how well the proposed information security alternatives will contribute to the efficiency, effectiveness, and overall operation of an organization
Above and beyond the impact on the bottom line, the organization must determine how the proposed alternatives contribute to the business objectives of the organization
Operational Feasibility
Addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization’s stakeholders
Sometimes known as behavioral feasibility, because it measures the behavior of users
Operational Feasibility
A fundamental principle of systems development is obtaining user buy-in on a project
One of the most common methods for obtaining user acceptance and support is through user involvement, obtained through three simple steps:
– Communicate
– Educate
– Involve
Technical Feasibility
The project team must also consider the technical feasibilities associated with the design, implementation, and management of controls
Examines whether or not the organization has or can acquire the technology necessary to implement & support the control alternatives
Political Feasibility
For some organizations, the most significant feasibility evaluated may be political
Within organizations, political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest
Limits placed on an organization’s actions or behaviors by the information security controls must fit within the realm of the possible before they can be effectively implemented, and that realm includes the availability of staff resources
Risk Management Discussion Points
Not every organization has the collective will to manage each vulnerability through the application of controls
Depending on the willingness to assume risk, each organization must define its risk appetite
Risk appetite defines the quantity and nature of risk that organizations are willing to accept as they evaluate the tradeoffs between perfect security and unlimited accessibility
Residual Risk
When we have controlled any given vulnerability as much as we can, there is often risk that has not been completely removed or has not been completely shifted or planned for
This remainder is called residual risk
Residual Risk
To express it another way, "Residual Risk is a combined function of:
(1) a threat less the effect of some threat-reducing safeguards
(2) a vulnerability less the effect of some vulnerability-reducing safeguards
(3) an asset less the effect of some asset value-reducing safeguards."
Figure 5-4 Residual Risk (diagram). Starting from the risk of the information asset, the diagram shows:
– Amount of threat reduced by a safeguard
– Amount of vulnerability reduced by a safeguard
– Amount of asset value reduced by a safeguard
– Residual risk: risk that has not been covered by one of the safeguards
Documenting Results
At minimum, each information asset-vulnerability pair should have a documented control strategy that clearly identifies any residual risk remaining after the proposed strategy has been executed
Some organizations document the outcome of the control strategy for each information asset-vulnerability pair as an action plan
Action plan includes concrete tasks, each with accountability assigned to an organizational unit or to an individual
Recommended Practices in Controlling Risk
We must convince budget authorities to spend up to the value of the asset to protect a particular asset from an identified threat
Each and every control or safeguard implemented will impact more than one threat-asset pair
Qualitative Measures
The spectrum of steps described above, performed with real numbers or best-guess estimates of real numbers, is known as a quantitative assessment
However, an organization could determine that it couldn’t put specific numbers on these values
Fortunately, it is possible to repeat these steps using estimates based on a qualitative assessment
Instead of using specific numbers, ranges or levels of values can be developed simplifying the process
Delphi Technique
One technique for accurately estimating scales and values is the Delphi Technique
The Delphi Technique, named for the Oracle at Delphi, is a process whereby a group of individuals rate or rank a set of information
The individual responses are compiled and then returned to the individuals for another iteration
This process continues until the group is satisfied with the result
Evaluation, Assessment, and Maintenance of Risk Controls
Once a control strategy has been implemented, the controls should be monitored and measured on an ongoing basis to determine the effectiveness of the security controls and the accuracy of the estimate of the residual risk